Interview: Craig Hinkley, CEO of WhiteHat Security

At the end of last month, WhiteHat Security founder and CTO Jeremiah Grossman left the company. To paraphrase Factory Records founder Tony Wilson's statement in the film 24 Hour Party People: “No band ever survives the departure of their lead singer.” So with Grossman’s exit from the full-time job confirmed, what is next for the company without its influential talisman?

A year ago, Craig Hinkley was appointed as CEO of WhiteHat Security after Grossman had taken on the interim role. Born and raised in Australia, Hinkley arrived in the USA 19 years ago, and I wanted to know what had attracted him to this company and this position.

“WhiteHat Security is a great company with a great brand and reputation in the security market, and as we think about exploit and attack, the company is growing and blossoming and that is why customers come to us. We have 150 researchers in the company and we are well poised.”

Previously SVP of network infrastructure at Bank of America, he also ran technology strategy for Cisco, became the general manager of the networking business at HP and ran the LogLogic platform at Tibco Software, which he left to join WhiteHat Security. So where does WhiteHat Security fit into the industry now?

He said that big bugs like Heartbleed, Shellshock and Drown are bringing people to WhiteHat Security, while a second reason is public hacks in the marketplace and the need to understand where the vulnerabilities are. Finally, the lack of talent in the marketplace requires more automation and remote vulnerability scanning.

Talking about the big vulnerabilities, Hinkley said that after the Drown vulnerability was announced, he was presenting at this year’s RSA Conference with F5 Networks, focusing on integration, active defense systems and standard tech. “We could tell customers of WhiteHat Security if they were vulnerable as soon as it came out, as with our scanner we know if they are vulnerable and, due to integration, we can automatically notify F5 customers and block any attacks exploiting the Drown vulnerability,” he said.

“A lot of boards care about cybersecurity and ask what is happening and ask if they are vulnerable, and this is driving a lot of companies to need to know if they need protection. We are driving business with continuous scanning at scale and eliminating false positives, so we see that there is a real vulnerability to mitigate.”

So what about the people factor, and how does that impact vulnerability scanning and assessment? Hinkley said that CISOs report that the biggest challenge is finding information security talent to hire to build out a program.

“If a company is in the top 10 of the Fortune 100, they can hire people, but if those people are not in the upper tier, they look for solutions like WhiteHat Security which are SaaS-based and provide an outcome. People say to us that they could not achieve a level of security without WhiteHat Security, as they are scanning at scale, so focus on foundational security. I call it ‘actionable incredible intelligence engine’, and that is one of the reasons why there has been a huge uplift in our business.”

Hinkley claimed that CISOs understand what needs to be protected, but few focus on the business value they are trying to deliver. Having talked to six top-ten CISOs (in their industry), what alarmed him is that all vendors have the same message: the problem is not with the tools, but with using them. Two of the CISOs were putting a hold on buying tools or bringing in services and plan to use more managed services.

Hinkley said that the power is with CISOs now in where they buy services and capabilities to create an operationalized program. “How they take vulnerabilities and do development, and a fundamental pivot is how people go to cloud and build their own stack. That is the model the industry is moving to and a primary driver is a lack of skills and talent.”

So what about common vulnerabilities that appear in the OWASP top ten, such as SQLi and cross-site scripting? Hinkley said that they remain common and still need fundamental action, and users know that if they scan continuously, the scans can show what has been fixed, and they can use the service to show a reduction in the fundamental problem.

“In our WhiteHat Security Index, we look at the type of vulnerability and come up with a risk score and show it to them, as well as the probability of being hacked,” he said. “With 15 years of data, we can show them how they compare to the industry. We are enabling customers to let them better manage their overall cyber program so when they report to the CEO and the board, they will not understand the technical things but can understand the risk profile and effective score. So if they have a conversation around risk appetite and profile, they may invest money into technology or people to help the CISO protect apps and remove the vulnerabilities in code.”

Hinkley said that this is a big push for WhiteHat Security. In that RSA Conference presentation, Hinkley said the audience was asked if a CEO had asked them “are we exposed?”, and three-quarters said yes.

“We say we can tell you so you can go to the CIO and say if you are at risk to vulnerability and what you can do to address it, and what to do now to protect yourself and mitigate the risk. While the industry is scrambling, you can keep calm and carry on.”